Endpoint Protection


Auto protect VS Scheduled scans...?

  • 1.  Auto protect VS Scheduled scans...?

    Posted Apr 23, 2009 12:52 PM
    We have a weekly scheduled scan set for all our SAV 10 clients, and many users have been complaining about the hit on performance that their systems take during this time.  We have Auto protection enabled and I am wondering if I am wasting the users' time with a weekly scan....  Is there something that a scan gives you that the auto protect doesn't?  Any of the virus issues that have been detected in my time working with SAV have always been flagged by the Auto protect...  I am thinking about removing that weekly scan and would like some insight before I take this step.


  • 2.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 23, 2009 01:16 PM
    It's not a good idea to omit the scheduled scan. File System Autoprotect runs in the background all the time, and if you open any file then auto protect checks the file for infection. A scheduled scan should always be performed to allow a full scan of your hard disks or external disks on a scheduled basis.


  • 3.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 23, 2009 01:17 PM

    You can take that off if you ask me. We have set it up for once a month for most of the machines, though we run a sweep occasionally and when we notice a large number of threats that are left alone or unknown action.

    Anyway, educate the users about the importance of running a full scan when a threat is detected on their machines. Better if you could create a document and upload it at the portal.

  • 4.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 23, 2009 05:23 PM
    I agree with Sandeep.  We too had disabled all of our scheduled scans except for a quick scan at bootup.  What we are doing now with the migration to SEP11 is educating the users of the importance of the scans and running a full scan once a month at 8:00pm, and daily active scans at 8:00pm daily.

    Also if you allow the users to pause or snooze a scan it may make people a little happier because they can pause it until it is convenient to them, say lunch time.


  • 5.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 23, 2009 06:30 PM
    Make the scheduled scans during lunch breaks. We have autoprotect on but still scheduled scans can detect other infections not detected by auto-protect.


  • 6.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 05:34 AM
    Last week somebody from Symantec was over here and he told me the engines used by scheduled scan and realtime scan are identical.
    The only difference is that you can find 'sleeping' viruses or malware residing on your PC, but as soon as an infected file is accessed realtime scan will detect the virus in the file and take the necessary steps.


  • 8.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 06:31 AM
    Hi,

    If you dump a huge folder onto your local drive, realtime protection will not fully scan the folder.

    That is why we have to run a full scan to clean the full folder content.

    If your users are having a problem with the daily scheduled scan, you can schedule it weekly.


  • 9.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 06:56 AM

    How you configure your scans may depend on your business. If your scheduled scans routinely catch viruses, you should stick with a full scan at least weekly. If detections are infrequent, you could consider dropping to a monthly scan but I think it would be unwise in most environments to eliminate scheduled scans entirely. You may also need a scheduled scan to satisfy internal or peer audit, if not external auditors.

    The issue is that something can infiltrate the system before definitions are available, and although it should be detected by Real Time Scanning next time it is accessed, you will have no indication of how long it was on the system and where it might have come from or been copied to in the meantime. We have chosen to run a Full Scan each week to sweep these out. The Weekly Scan routinely finds a small number of infections, therefore it is worth the pain and we have educated the users accordingly. We know each week that our systems are as clean as we can make them, and in the event of an outbreak we have a short window of exposure to review.

    The alternative is to rely solely on RTV scanning and wait for an outbreak, then probably have too little information on the source to be able to state with confidence that it has been contained or swept out. Another point to consider is that the weekly scan will sweep out rogue files in an expected time slot so the alerts will not be a surprise. Waiting for RTV scan to find something may result in a flood of alerts and a need for rapid response and investigation just as you want to go home, or at month-end, or some other inappropriate time.



  • 10.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 07:10 AM
    Now we do a full scan Saturday evening so users aren't disturbed.
    Before, we did a scan every night but on slow machines this took very long (6 to 7h) so sometimes users would like to start working and the scan was still going on.
    The Symantec guy told me that you can do a full scan every month instead of every week if you also apply NAC on your system.


  • 11.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 08:01 AM
    You should have a scheduled scan. Autoprotect works when an infected file is being accessed. Else it won't.
    I would suggest you have a scheduled scan with Active or Custom scanning rather than a full scan, and you should also set the tuning in the advanced settings for better performance.


  • 12.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 09:45 AM
    That's true, whenever a scan is running the system runs slow. So, you configure the client in silent mode so the client does not see the scan progress.


  • 13.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 10:08 AM
    Thought I might give a little background: currently in our environment we have a weekly scheduled scan, Wednesday at lunch hour.  I have a large user base that works during the lunch hour.  If I scale back how much processor the scan uses then it far exceeds the 1 hour time limit; also, it is set in silent mode but the users know that something is slowing their systems down.  In the time I have worked here never has a virus been found by a scan that the real time scan didn't find.  I have also found out that users are starting to reboot their systems during this time so they can work.  I would set it for an after-hours situation; however, most of our users shut down their systems at night so the scan would end up taking place the next time they power up (first thing in the morning is a really bad time for a scan to start).  I also have a weekly scan that runs on the file servers that scans all "network" files.


  • 14.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 02:16 PM
    We ran into issues when we did this. The Helpdesk was flooded with calls when the scan would kick off. If the users are able to see a window showing the scan progress, have been educated on why we do full scans, and are able to pause the scan until it is a little more convenient to them, they call much less often.

    A scheduled scan should be configured, and if it is configured for after hours it will get most of the machines that are left on overnight and the user will never know. However, if there are a lot of laptop users, or desktop users who shut their machines down at night, the scan will pop up as soon as they log in. I guess it all depends on if the users have been educated as to why the scans are happening.




  • 15.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 02:29 PM
    We always do scheduled full scans at lunch to minimize inconvenience to users. I agree with Paul. This is a necessary step that has to be done periodically to ensure everything is clean in systems.


  • 16.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 02:35 PM
    "Last week somebody from Symantec was over here and he told me the engines used by scheduled scan and realtime scan are identical.
    The only difference is that you can find 'sleeping' viruses or malware residing on your PC, but as soon as an infected file is accessed realtime scan will detect the virus in the file and take the necessary steps."

    ernieken, if they are the same, why do they have a difference? Your post is weird. Of course they are the same in terms of scanning. They differ in when it is activated, so still they are different.


  • 17.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 03:31 PM

    Each place I've worked has mandated a scheduled scan no less than once a week.
    It's their policy here, too.
    I've found quite often the scheduled scan finds things otherwise missed, or that weren't found when it was placed there because the defs didn't catch it then, but then it gets an update and a day later scans and catches the bugger.
    The engines may or may not be identical, settings CAN be made different.
    You can exclude a lot of files from a scheduled scan and be safe - the CCM cache area among others.
    Schedule the scan to run silently either at lunch or in the evening. I'll NEVER allow a scan at bootup - just WAAY too much going on as Windows starts and connects to the domain, loading profiles, etc.

    Here's the thing - you have the responsibility for the computers being safe and clean - explain that no scan will be bypassed, period. Make it a corporate policy. Schedule it for after hours, and do as we do - computers MUST be left on - besides, that's when updates and patches get installed.

    The scan really doesn't slow down a computer that much IMO - no one here complains about it.

    I've also found that the scheduled scan for some reason CAN and often does find things missed because some of these critters are pretty good at hiding themselves once in memory.

    I've been at this AV and security stuff since about 88 or so and every version of every AV product from NAV 2 on up has found things during a scheduled scan that real-time may miss. Again, could be multiple reasons like updated defs by the time the scan runs, whatever, but I absolutely will NOT take the risk. Two layers is better than one, and anyone who will rely simply on "careful users", "so-called safe sites" and a single layer of autoprotect is taking risks.

    I also can't figure out what NAC has to do with a virus being found or not??  All that does is mean that the computer is up-to-date on patches and AV defs, nothing more. It doesn't say the computer is clean - only that it should be safer than some may be.

    You guys who believe just running autoprotect is fine and scheduled scans won't make a difference need to spend a few weeks in my spot here.................



  • 18.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 24, 2009 05:12 PM
    I do two weekly scans at my place. The first is a quick scan on Wednesday at lunch time; this gets a scan on almost all machines without making a major impact on the users.  The second is a full scan early on Saturday morning that is set to expire before business starts on Monday.  We do a Wake-on-LAN to get all the machines on over the weekend and allow the scan to run on most machines.



  • 19.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 25, 2009 02:26 AM
    I've got about a 1000 machines here, and have auto protect ramped up to full.
    I also do a full weekly scan.

    Guess what - every single week, the full scans pick up stuff the autoprotect missed.
    On average, it's about 20 a week extra - in fact, I get more alerts from my full scan than I do from auto-protect.

    Sure, full scans have a performance hit - strangely though (or perhaps not that strangely) when we hid the scans, 80% of our staff thought we had turned them off and never noticed they were running in the background. When we un-hid them, we got a moderate increase in complaints about machines running slowly - that says a lot more about human perception than it does about technical facts.

    The point made by SP is very valid - regardless of how tempting it is to set your scan to run overnight on the basis that it will auto-run as soon as the machine is switched on if anyone/everyone turns their machine off at night -- I really advise against this.
    Windows machines continue to perform masses of tasks on boot up/log on (services starting, logon scripts, audit catch ups (if you are using audit software), etc, etc); slapping it with a disk/processor/memory intensive process like virus scanning at the same time has an exponentially detrimental effect. Better to run your scan an hour or so after logon.

    Nick



  • 20.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 25, 2009 11:14 AM

    In my opinion, running a full scan is good in removing the threats which are hiding, probably which were not detected as Symantec didn't have the definitions for them when they were downloaded or the AP was not working then.

    But the point is what's the loss of these threats being present on the system in a dormant way. When it tries to activate itself it would anyway get caught. And as a matter of fact AP catches more efficiently than the scan as most of the threats today are made up with an efficient packer and it is very easy to evade an AV by using any of the exploit kits and a good packer. Google.ru would give you better results than google.com but the files inside anyway have to be extracted for the execution and that is when the chances are the highest for them getting caught when they load up.

    If you ask me, I don't really believe in scheduled scans as we have educated the users and the prerequisites like run a full scan, update the defs, are at the site where they create the ticket.

    And also some of the users who run high end applications like some of the developers and their frameworks, we don't want to hit them on their productivity as no one enjoys working on a slow machine and you recognise immediately when it's slow if the machine has been with you for some time. Even with once a month scan we have seen users restarting their machines when the scan is in progress which is definitely not cool. But it's true that it cannot be generalized; for some folks scheduled scan might be getting them more out of their AV.


  • 21.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 26, 2009 09:36 PM
    Scheduled scan is still vital but consumes PC performance. Please set this during off-peak hours. Better to group similar programs/departments and scan them on a staggered basis so that there would be minimum impact.

    Thanks,

    Nel Ramos
     


  • 22.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 27, 2009 12:09 AM
    I have seen a scheduled scan detecting a threat while autoprotect was there all the time. Somehow threats are able to enter the system and then you need a scheduled scan, so my advice is not to omit the scheduled scan. You have set it weekly while I have it daily at lunch hour.


  • 23.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 27, 2009 07:59 AM
    People will be people. Over lunch, or a break, or even when they get bored with work, they lose or conveniently forget all you have TRIED to teach them. Some simply say "you weren't REALLY talking to me" and thumb their noses at rules and surf anyway.
    Again, in our cases, some of these things come from hacked sites, so in many cases, user education would NOT have prevented the infection!
    When you go to a legit business site and simply visit, or visit the local news site put together by a major company that specializes in doing web sites for TV stations and still get an infection, there is no user education in the world that could have prevented that - other than tell them when they come in in the morning to turn their computer off and don't touch the mouse or keyboard all day.
    I do not know the reason, but I still to this day find things the scheduled scans catch that realtime did not.
    I can give two examples from this last month - computers had "infections" - I used other tools to find the offending files, then copied said files to my quarantine server desktop then submitted them. The AV on the server didn't balk and freely let the files be copied. That night during the server scheduled scans, the files were flagged as infected! I thought great, the defs were updated, so we are fine. NO, I was again able to copy those same files to the desktop - NO trigger from SEP, and again, a scheduled scan caught them. Same scan engine? MAYBE, however, there were two cases where files were allowed to be copied to the desktop, but scheduled scans caught the files as infected.
    Why? Why did AP miss, but the scheduled scan catch them? If they were encrypted in any way, should the scheduled scan not have failed?
    We will never as long as I'm working here get rid of the scheduled scans. I've been doing this for far too many years to ever allow that, I've simply too much experience, have seen too many "exceptions".
    Funny thing - users don't complain about slowness when a scheduled scan is happening - it's usually something else going on.
    It does slow things down a bit, and it is noticeable, but since my rule is if they get an infected machine and it takes more than an hour to deal with it - their machine gets taken away while a new one is built for them. They soon learn.............
    Your users must be saints to listen to you and not do a single thing to ever get an infection............. in the real world here, it just don't work that way. And there's no way I'll allow a "dormant" infection to stick around - too many "what ifs" like what if the AP stops working, or what if the defs get corrupted or the service is stopped by another infection (it happens)


  • 24.  RE: Auto protect VS Scheduled scans...?

    Posted Apr 27, 2009 12:34 PM
    Can we receive alerts if AP/AV service is disabled or stopped?

    In my company before, I always performed full scans weekly and it has been very smooth since then, and I have proof that I am doing my job. (Doing the best I can to remove all viruses)


  • 25.  RE: Auto protect VS Scheduled scans...?

    Posted May 18, 2009 03:09 PM
    Our weekly scan is scheduled for 8:00PM.  We instruct our users to leave their machines on...it's part of our policy.   We do this so that we can deploy software, including Windows Updates during the evening.  It also provides a window for us to run things like AV scans, or if we need to troubleshoot a machine we can do it remotely at night rather than have IT folks stay late or force users off of their machines during business hours.

    We have disabled the "retry after missed scans" setting for IT folks and mobile users as a courtesy.  However, if a "regular" user does not follow policy and turns off their machine, then Tuesday mornings the consequences are of their own doing.


  • 26.  RE: Auto protect VS Scheduled scans...?

    Posted May 18, 2009 05:49 PM
    You still need to do a scheduled scan. This sometimes takes care of malware that got in, like those found by auto-protect but got an access denied or left alone.


  • 27.  RE: Auto protect VS Scheduled scans...?

    Posted Aug 31, 2009 02:06 AM
    Realtime scan will scan a file when it is accessed or modified and also during back up. So if you have a virus file which is dormant in the PC it will not scan it.

    Real Time scan will not scan load points such as memory load points, system load points etc., and it will not scan files which are already loaded in the memory,
    so it is better to run a full system scan which will scan load points and all the files on the system.

    Quick Scan - Will scan common Load points and also the files which are loaded in the memory, startup files. But it will not scan the full System.

    Thereby it is always good to have a scheduled full system scan.

    :)